CN110113435A - Method and apparatus for traffic cleaning - Google Patents

Method and apparatus for traffic cleaning

Info

Publication number: CN110113435A
Authority: CN (China)
Prior art keywords: safeguard, network, attack traffic, attack, traffic
Legal status: Granted, Active
Application number: CN201910444437.7A
Other languages: Chinese (zh)
Other versions: CN110113435B (en)
Inventors: 杨雪皎, 贺艳
Current Assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Original Assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201910444437.7A
Publication of CN110113435A
Application granted
Publication of CN110113435B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0894 Packet rate
    • H04L43/16 Threshold monitoring
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1036 Load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/63 Routing a service request depending on the request content or context

Abstract

The invention discloses a method and apparatus for traffic cleaning and relates to the field of communication technology. It addresses the problem that attack traffic can currently be protected against only by a local network protection device alone or by a cloud device alone. The method includes: after detecting attack traffic, a network traffic monitoring device determines the size of the attack traffic; the network traffic monitoring device determines, according to the size of the attack traffic and the protection capability of the protection devices, the protection device that will clean the attack traffic, where the protection devices include local network protection devices and cloud network protection devices, and the protection capability of a protection device indicates its ability to protect against and clean attack traffic; the network traffic monitoring device diverts the attack traffic to the determined protection device. Because the invention selects the protection device according to the size of the attack traffic and the protection capability of the protection devices, it achieves intelligent traffic cleaning.

Description

Method and apparatus for traffic cleaning
Technical field
The present invention relates to the technical field of network security, and in particular to a method and apparatus for traffic cleaning.
Background
With the arrival of Internet 2.0, networks have become more deeply interwoven with people's lives, and the importance of network security has grown accordingly. As new types of network attack keep emerging at home and abroad and attack traffic surges, traffic cleaning technology has gradually emerged to detect and control attack traffic. It is highly effective for monitoring DDoS (Distributed Denial of Service) attacks and network intrusions.
The principle of traffic cleaning is that, after an attack is found, the routing direction of the traffic is changed so that the traffic is diverted to a local network protection device or a cloud network protection device, which cleans the attack traffic; the normal traffic is then reinjected into the network.
However, although traditional local-only protection can clean traffic at a fine granularity, it is constrained by bandwidth and by the cost of adding local protection devices, so it struggles to protect against high-volume attacks. Cloud protection schemes can defend against very high-volume attacks, but their protection granularity is not fine enough and it is difficult to tailor the protection scheme to different customers, so their effect is not ideal either.
In summary, attack traffic can currently be protected against only by a network protection device alone or by a cloud protection device alone; the advantages of the two cannot be fully combined to provide better protection.
Summary of the invention
The present invention provides a method and apparatus for traffic cleaning, to solve the problem in the prior art that attack traffic can be protected against only by a network protection device alone or by a cloud protection device alone, so that the advantages of the two cannot be fully used.
In a first aspect, a traffic cleaning method provided by an embodiment of the present invention includes:
after detecting attack traffic, a network traffic monitoring device determines the size of the attack traffic;
the network traffic monitoring device determines, according to the size of the attack traffic and the protection capability of the protection devices, the protection device that will clean the attack traffic, where the protection devices include local network protection devices and cloud network protection devices, and the protection capability of a protection device indicates its ability to protect against and clean attack traffic;
the network traffic monitoring device diverts the attack traffic to the determined protection device.
In the above method, because the protection devices include local network protection devices and cloud network protection devices, the protection device that cleans the attack traffic can be selected according to the size of the attack traffic and the protection capability of the protection devices. The network traffic monitoring device selects the protection module intelligently, so attack traffic is no longer handled by a network protection device alone or by a cloud protection device alone. Compared with schemes that clean only locally or only in the cloud, this uses local and cloud cleaning resources more efficiently. Moreover, as more traffic attacks the network, the protection capability and cleaning capability of a protection device gradually decrease. Because the selection takes into account both the size of the attack traffic and each protection device's ability to protect against and clean attack traffic, the selected device is a better choice and the cleaning effect is better.
In one possible implementation, the network traffic monitoring device determining, according to the size of the attack traffic and the protection capability of the protection devices, the protection device that will clean the attack traffic includes:
the network traffic monitoring device judges, according to the size of the attack traffic and the protection capability of the protection devices, whether there is a local network protection device that meets the cleaning condition;
if so, the network traffic monitoring device selects at least one local network protection device from the local network protection devices that meet the cleaning condition as the protection device that cleans the attack traffic;
otherwise, the network traffic monitoring device selects at least one cloud network protection device from the cloud network protection devices that meet the cleaning condition as the protection device that cleans the attack traffic.
In the above method, local network protection devices are preferred for smaller attack traffic, because their protection granularity is finer than that of cloud network protection devices: different protection policies can be chosen for different customers, which allows finer cleaning. When attack traffic is larger, local network protection devices are limited by bandwidth, so a cloud network protection device is selected to clean the attack traffic. Furthermore, because the device that cleans the attack traffic must meet the cleaning condition, traffic cleaning is more efficient and cleaning resources are used effectively: local cleaning resources are used when the local protection modules have sufficient capacity, and cloud resources are used when local cleaning resources are insufficient.
In one possible implementation, the cleaning condition is:
the size of the attack traffic is no greater than the maximum protection traffic threshold of the protection device, the protection parameter determined by the protection capability of the protection device is less than the protection capability utilization threshold, and the cleaning parameter determined by the protection capability of the protection device is less than the cleaning peak threshold.
In the above method, as more traffic attacks, the protection capability and cleaning capability of a protection device gradually decrease. Determining a protection parameter and a cleaning parameter from the device's protection and cleaning capability gives a quantitative expression of those capabilities. A device is then chosen for which the size of the attack traffic is no greater than the device's maximum protection traffic threshold, the protection parameter is less than the protection capability utilization threshold, and the cleaning parameter is less than the cleaning capability utilization threshold; a device selected under these conditions is a better choice.
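The local-first selection and the three-part cleaning condition described above, as an added Python example that is not code from the patent. It assumes the protection parameter is a utilization fraction, the cleaning parameter is the traffic a device is already cleaning, thresholds are stored per device, and the least-utilized eligible device is chosen; all device names and figures are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

GBPS = 1e9


@dataclass(frozen=True)
class ProtectionDevice:
    name: str
    location: str                 # "local" or "cloud"
    max_protect_bps: float        # maximum protection traffic threshold
    protection_param: float       # assumed: share of protection capability in use, 0..1
    utilization_threshold: float  # protection capability utilization threshold
    cleaning_param_bps: float     # assumed: traffic the device is already cleaning
    cleaning_peak_bps: float      # cleaning peak threshold


def meets_cleaning_condition(dev: ProtectionDevice, attack_bps: float) -> bool:
    """All three parts of the cleaning condition must hold."""
    return (
        attack_bps <= dev.max_protect_bps  # "no greater than"
        and dev.protection_param < dev.utilization_threshold
        and dev.cleaning_param_bps < dev.cleaning_peak_bps
    )


def select_device(attack_bps: float,
                  devices: Iterable[ProtectionDevice]) -> Optional[ProtectionDevice]:
    """Prefer an eligible local device; fall back to an eligible cloud device.

    Returns None when no device meets the cleaning condition, a case the
    text does not cover and the caller has to handle.
    """
    if attack_bps <= 0:
        raise ValueError("attack traffic size must be positive")
    pool = list(devices)
    for location in ("local", "cloud"):
        eligible = [d for d in pool
                    if d.location == location
                    and meets_cleaning_condition(d, attack_bps)]
        if eligible:
            # Assumed tie-break: the device with the most spare capability.
            return min(eligible, key=lambda d: d.protection_param)
    return None


# Constructed inventory: one idle local device, one busy local device,
# one cloud scrubbing device.
DEMO_DEVICES = (
    ProtectionDevice("local-ads-1", "local", 10 * GBPS, 0.35, 0.80,
                     2 * GBPS, 8 * GBPS),
    ProtectionDevice("local-ads-2", "local", 10 * GBPS, 0.92, 0.80,
                     7 * GBPS, 8 * GBPS),
    ProtectionDevice("cloud-scrub-1", "cloud", 500 * GBPS, 0.40, 0.85,
                     120 * GBPS, 400 * GBPS),
)


def demo() -> dict:
    """Map a few constructed attack sizes (Gbps) to the chosen device name."""
    out = {}
    for gbps in (3, 10, 40, 600):
        chosen = select_device(gbps * GBPS, DEMO_DEVICES)
        out[gbps] = chosen.name if chosen else None
    return out


if __name__ == "__main__":
    for size, name in demo().items():
        print(f"{size:>4} Gbps -> {name}")
```

A `None` result means no device can take the attack under the stated condition; the monitoring device needs a separate decision for that case.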
In one possible implementation, the method further includes:
the network traffic monitoring device periodically sends a protection policy synchronization instruction to the determined protection device, so that protection policies are shared between the local network protection devices and the cloud network protection devices.
In the above method, the protection policy synchronization instruction triggers the sharing of protection policies between the local and cloud network protection devices. The cloud network protection device thereby obtains finer-grained protection policies in addition to its own, so it can clean attack traffic with different protection policies for different customers, which improves its protection granularity. Sharing protection policies between local and cloud cleaning resources helps optimize the policies and makes full use of policy sharing among the local cleaning resources and the cloud cleaning resources, so that protection policies become more intelligent and efficient cleaning of attack traffic is easier to achieve.
In a second aspect, a traffic cleaning method provided by an embodiment of the present invention includes:
a cloud network protection device receives attack traffic diverted by a network traffic monitoring device;
the cloud network protection device cleans the attack traffic;
wherein the attack traffic is diverted to the cloud network protection device after the network traffic monitoring device determines, according to the size of the attack traffic and the protection capability of the protection devices, that the cloud network protection device is to clean the attack traffic; the protection devices include local network protection devices and cloud network protection devices, and the protection capability of a protection device indicates its ability to protect against and clean attack traffic.
In the above method, the attack traffic has been diverted after the network traffic monitoring device determined, according to the size of the attack traffic and the protection capability of the protection devices, that the cloud network protection device is to clean it. In this case the cleaning effect of the local network protection devices is worse than that of the cloud, and the cloud network protection device can clean high-volume traffic, so the cloud protection device is triggered to start cleaning, rather than attack traffic being handled by a network protection device alone or by a cloud protection device alone.
In one possible implementation, the cloud network protection device cleaning the attack traffic includes:
the cloud network protection device selects, from a protection policy set, the protection policy corresponding to the attack target IP (Internet Protocol) address of the attack traffic;
the cloud network protection device cleans the attack traffic according to that protection policy.
In the above method, when cleaning attack traffic the cloud network protection device no longer relies only on its own protection policy; it selects from the protection policy set the policy corresponding to the attack target IP address of the attack traffic. Different protection policies are thus chosen for different customers, giving finer traffic cleaning, improving the protection granularity of the cloud network protection device and achieving efficient cleaning of attack traffic.
In one possible implementation, before the cloud network protection device selects from the protection policy set the protection policy corresponding to the attack target IP address of the attack traffic, the method further includes:
the cloud network protection device receives a protection policy sent by the local network protection device and adds the protection policy to the protection policy set.
In the above method, the local network protection device sends protection policies to the cloud network protection device, which merges the shared policies into its protection policy set after receiving them. This enriches the protection policies of the cloud network protection device, which is no longer limited to its own single policy, and makes it easier to improve its protection granularity.
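The cloud-side policy set described above, as an added Python example that is not code from the patent: policies shared by local devices are merged into the set, and the policy for an attack target IP is looked up. It assumes policies are keyed by a protected CIDR prefix, carry a revision number so repeated periodic synchronization does not reinstate stale copies, and that the cloud device falls back to its own policy when nothing matches; addresses (documentation ranges), device names and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ProtectionPolicy:
    prefix: str              # protected destination range (assumed key)
    source: str              # device that authored the policy
    revision: int            # assumed: increases with each update
    rules: Tuple[str, ...]   # opaque rule names, constructed for the example


class PolicySet:
    """Protection policy set held by the cloud network protection device."""

    def __init__(self, own_policy: ProtectionPolicy) -> None:
        self._own = own_policy
        self._by_prefix: Dict[Network, ProtectionPolicy] = {}

    def add(self, policy: ProtectionPolicy) -> bool:
        """Merge a policy received from a local device.

        Returns False when an equal or newer revision is already stored.
        Raises ValueError for a malformed prefix (for example host bits set),
        so a bad synchronization message cannot widen or shift a policy.
        """
        net = ipaddress.ip_network(policy.prefix, strict=True)
        current = self._by_prefix.get(net)
        if current is not None and current.revision >= policy.revision:
            return False
        self._by_prefix[net] = policy
        return True

    def select(self, target_ip: str) -> ProtectionPolicy:
        """Return the most specific policy covering the attack target IP."""
        addr = ipaddress.ip_address(target_ip)
        matches = [n for n in self._by_prefix
                   if n.version == addr.version and addr in n]
        if not matches:
            return self._own  # no shared policy: use the cloud's own policy
        return self._by_prefix[max(matches, key=lambda n: n.prefixlen)]


# Constructed policies.
CLOUD_OWN = ProtectionPolicy("0.0.0.0/0", "cloud-scrub-1", 1,
                             ("rate-limit-coarse",))
LOCAL_A_R1 = ProtectionPolicy("203.0.113.0/24", "local-ads-1", 1,
                              ("syn-proxy",))
LOCAL_A_R2 = ProtectionPolicy("203.0.113.0/24", "local-ads-1", 2,
                              ("syn-proxy", "udp-frag-drop"))
LOCAL_B_R1 = ProtectionPolicy("203.0.113.16/28", "local-ads-2", 1,
                              ("http-challenge",))


def build_demo_set() -> PolicySet:
    """Simulate three synchronization rounds arriving at the cloud device."""
    ps = PolicySet(CLOUD_OWN)
    for received in (LOCAL_A_R1, LOCAL_B_R1, LOCAL_A_R2):
        ps.add(received)
    return ps


if __name__ == "__main__":
    demo_set = build_demo_set()
    for ip in ("203.0.113.20", "203.0.113.200", "198.51.100.7"):
        chosen = demo_set.select(ip)
        print(ip, "->", chosen.source, "rev", chosen.revision, chosen.rules)
```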
In a third aspect, a traffic cleaning device provided by an embodiment of the present invention includes at least one processing unit and at least one storage unit, where the storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the following process:
after detecting attack traffic, determine the size of the attack traffic;
determine, according to the size of the attack traffic and the protection capability of the protection devices, the protection device that will clean the attack traffic, where the protection devices include local network protection devices and cloud network protection devices, and the protection capability of a protection device indicates its ability to protect against and clean attack traffic;
divert the attack traffic to the determined protection device.
In one possible implementation, the processing unit is specifically configured to:
judge, according to the size of the attack traffic and the protection capability of the protection devices, whether there is a local network protection device that meets the cleaning condition;
if so, select at least one local network protection device from the local network protection devices that meet the cleaning condition as the protection device that cleans the attack traffic;
otherwise, select at least one cloud network protection device from the cloud network protection devices that meet the cleaning condition as the protection device that cleans the attack traffic.
In one possible implementation, the cleaning condition is:
the size of the attack traffic is no greater than the maximum protection traffic threshold of the protection device, the protection parameter determined by the protection capability of the protection device is less than the protection capability utilization threshold, and the cleaning parameter determined by the protection capability of the protection device is less than the cleaning peak threshold.
In one possible implementation, the processing unit is further configured to:
periodically send a protection policy synchronization instruction to the determined protection device, so that protection policies are shared between the local network protection devices and the cloud network protection devices.
In a fourth aspect, an embodiment of the present invention also provides a traffic cleaning device, which includes at least one processing unit and at least one storage unit, where the storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the following process:
receive attack traffic diverted by a network traffic monitoring device;
clean the attack traffic;
wherein the attack traffic is diverted to the cloud network protection device after the network traffic monitoring device determines, according to the size of the attack traffic and the protection capability of the protection devices, that the cloud network protection device is to clean the attack traffic; the protection devices include local network protection devices and cloud network protection devices, and the protection capability of a protection device indicates its ability to protect against and clean attack traffic.
In one possible implementation, the processing unit is specifically configured to:
select, from a protection policy set, the protection policy corresponding to the attack target IP address of the attack traffic;
clean the attack traffic according to that protection policy.
In one possible implementation, the processing unit is further configured to:
before selecting from the protection policy set the protection policy corresponding to the attack target IP address of the attack traffic, receive a protection policy sent by the local network protection device and add the protection policy to the protection policy set.
In a fifth aspect, an embodiment of the present invention also provides a traffic cleaning device, which includes a traffic size detection module, a protection device selection module and a traffic diversion module:
the traffic size detection module is configured to determine the size of the attack traffic after attack traffic is detected;
the protection device selection module is configured to determine, according to the size of the attack traffic and the protection capability of the protection devices, the protection device that will clean the attack traffic, where the protection devices include local network protection devices and cloud network protection devices, and the protection capability of a protection device indicates its ability to protect against and clean attack traffic;
the traffic diversion module is configured to divert the attack traffic to the determined protection device.
In one possible implementation, the protection device selection module is specifically configured to:
judge, according to the size of the attack traffic and the protection capability of the protection devices, whether there is a local network protection device that meets the cleaning condition;
if so, select at least one local network protection device from the local network protection devices that meet the cleaning condition as the protection device that cleans the attack traffic;
otherwise, select at least one cloud network protection device from the cloud network protection devices that meet the cleaning condition as the protection device that cleans the attack traffic.
In one possible implementation, the cleaning condition is:
the size of the attack traffic is no greater than the maximum protection traffic threshold of the protection device, the protection parameter determined by the protection capability of the protection device is less than the protection capability utilization threshold, and the cleaning parameter determined by the protection capability of the protection device is less than the cleaning peak threshold.
In one possible implementation, the traffic diversion module is further configured to:
periodically send a protection policy synchronization instruction to the determined protection device, so that protection policies are shared between the local network protection devices and the cloud network protection devices.
In a sixth aspect, an embodiment of the present invention also provides a traffic cleaning device, which includes a receiving module and a traffic cleaning module:
the receiving module is configured to receive attack traffic diverted by a network traffic monitoring device;
the traffic cleaning module is configured to clean the attack traffic;
wherein the attack traffic is diverted to the cloud network protection device after the network traffic monitoring device determines, according to the size of the attack traffic and the protection capability of the protection devices, that the cloud network protection device is to clean the attack traffic; the protection devices include local network protection devices and cloud network protection devices, and the protection capability of a protection device indicates its ability to protect against and clean attack traffic.
In one possible implementation, the traffic cleaning module is specifically configured to:
select, from a protection policy set, the protection policy corresponding to the attack target IP address of the attack traffic;
clean the attack traffic according to that protection policy.
In one possible implementation, the receiving module is further configured to:
before the protection policy corresponding to the attack target IP address of the attack traffic is selected from the protection policy set, receive a protection policy sent by the local network protection device and add the protection policy to the protection policy set.
In a seventh aspect, the application also provides a computer storage medium storing a computer program which, when executed by a processing unit, implements the steps of the method of the first aspect.
In addition, for the technical effects of any implementation of the second to sixth aspects, refer to the technical effects of the different implementations of the first aspect and the second aspect; details are not repeated here.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Evidently, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a traffic cleaning system provided by an embodiment of the present invention;
Fig. 2A is a schematic diagram of a traffic cleaning apparatus provided by an embodiment of the present invention;
Fig. 2B is a schematic diagram of a module division provided by an embodiment of the present invention;
Fig. 2C is a schematic diagram of another module division provided by an embodiment of the present invention;
Fig. 3A is a schematic diagram of the network topology of a traffic cleaning apparatus provided by an embodiment of the present invention;
Fig. 3B is a schematic diagram of the execution process of a network traffic monitoring module provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of a traffic cleaning method provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of another traffic cleaning method provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of a complete traffic cleaning method provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of another complete traffic cleaning method provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of a first network traffic monitoring device provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of a first cloud network protection device provided by an embodiment of the present invention;
Fig. 10 is a schematic diagram of a second network traffic monitoring device provided by an embodiment of the present invention;
Fig. 11 is a schematic diagram of a second cloud network protection device provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
Some terms used in the text are explained below:
1. The term "and/or" in the embodiments of the present invention describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" can mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it.
2. The term "attack traffic" (Network Attack) in the embodiments of the present invention is the data flow generated by a network attack. A network attack (cyberattack) is any type of offensive action against computer information systems, infrastructure, computer networks or personal computer devices. In computers and computer networks, destroying, exposing or modifying data, making software or services lose function, or stealing or accessing the data of any computer without authorization are all regarded as attacks.
The application scenarios described in the embodiments of the present invention are intended to explain the technical solutions of the embodiments more clearly and do not limit them. A person of ordinary skill in the art will know that, as new application scenarios appear, the technical solutions provided by the embodiments are equally applicable to similar technical problems. In the description of the invention, unless otherwise stated, "a plurality of" means two or more.
Flow lead technology is proposed to defend Large Scale DDoS Attack and avoid Single Point of Faliure problem.It is initially anti- Imperial ddos attack is completed by the anti-DDoS module on firewall.However, even if outstanding firewall product again, above The defence capability of anti-DDoS module is all weaker.Therefore, in order to improve the defence capability of ddos attack, arrangement is special in a network Equipment for defending DDoS (Distributed Denial of Service) attacks.Assuming that a certain server in network, by ddos attack, flow lead technology is exactly will The flow lead of the server is sent into network dedicated for the equipment of defending DDoS (Distributed Denial of Service) attacks, remaining normal discharge is according to original The forward-path come is transmitted.
Wherein, the equipment in network dedicated for defending DDoS (Distributed Denial of Service) attacks is also known as flow cleaning equipment.Flow cleaning equipment Major function is traction, cleaning and re-injection.Traction, which refers to, is forwarded to stream for the flow for being sent to server by ddos attack Measure cleaning equipment;Cleaning refer to flow cleaning equipment by the flow received containing the traffic interception of ddos attack;Re-injection is Refer to that normal discharge by after the traffic interception containing ddos attack, is forwarded back to router by flow cleaning equipment again.
In the prior art, cleaning attack traffic mainly goes through 4 stages: flow detection, flow traction, flow cleaning and flow re-injection:
1) Flow detection: specified traffic is captured by mirroring, optical splitting or similar means and examined to determine whether it is attack traffic.
2) Flow traction: after attack traffic is detected, the user traffic to be protected is drawn to the flow cleaning equipment by means such as a dynamic routing protocol, for example BGP (Border Gateway Protocol).
3) Flow cleaning: after receiving the drawn traffic, the flow cleaning equipment identifies attacks and cleans the attack packets using professional DDoS protection techniques.
4) Flow re-injection: after cleaning is complete, the flow cleaning equipment re-injects the cleaned normal traffic into the user network.
Therefore, the embodiments of the present invention propose an intelligent flow cleaning scheme that cleans traffic intelligently according to the attack type, the size of the attack traffic and the remaining protective capacity of the protection modules. Compared with the prior art, the present invention makes effective use of cleaning resources: local cleaning resources are used when the local protection module has sufficient capacity, and cloud resources are used for protection when local cleaning resources are insufficient.
For the above scenario, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
As shown in Figure 1, the flow cleaning system of the embodiment of the present invention includes Network Traffic Monitoring equipment 10 and cloud network safeguard 20.
Network Traffic Monitoring equipment 10 is configured to: determine the size of the attack traffic after detecting attack traffic; determine, according to the size of the attack traffic and the protective capacity of the safeguards, the safeguard that will clean the attack traffic, where the safeguards include local network safeguards and cloud network safeguards and the protective capacity of a safeguard indicates its ability to protect against and clean attack traffic; and draw the attack traffic to the determined safeguard.
Cloud network safeguard 20 is configured to receive the attack traffic drawn by the Network Traffic Monitoring equipment and to clean the attack traffic.
The attack traffic is drawn to the cloud network safeguard after the Network Traffic Monitoring equipment determines, according to the size of the attack traffic and the protective capacity of the safeguards, that the attack traffic is to be cleaned by the cloud network safeguard. The safeguards include local network safeguards and cloud network safeguards, and the protective capacity of a safeguard indicates its ability to protect against and clean attack traffic.
With the above scheme, because the safeguards of the present invention include both local network safeguards and cloud network safeguards, the safeguard that cleans the attack traffic can be selected according to the size of the attack traffic and the protective capacity of the safeguards. The Network Traffic Monitoring equipment performs this intelligent selection of the network protection module, so that the attack traffic is protected against by the local network safeguard or by the cloud safeguard. Compared with schemes that clean only locally or only in the cloud, the local and cloud cleaning resources are used more efficiently. In addition, the protective capacity and cleaning ability of a safeguard change gradually as, for example, the number of cleanings it performs increases. Because both the size of the attack traffic and the safeguard's ability to protect against and clean attack traffic are considered when selecting a safeguard, the selected safeguard is a better choice and the cleaning effect is better.
In embodiments of the present invention, the Network Traffic Monitoring equipment monitors network traffic in real time and, when it detects attack traffic, decides which safeguard will clean the attack traffic.
In embodiments of the present invention, the number of each of Network Traffic Monitoring equipment, cloud network safeguards and local network safeguards is at least one, for example one Network Traffic Monitoring equipment, one cloud network safeguard and one local network safeguard.
Optionally, based on the above, an embodiment of the present invention provides an attack traffic cleaning apparatus comprising Network Traffic Monitoring module 200, local network protection module 201 and cloud network protection module 202, as shown in Figure 2A. A local network protection module may include only one local network safeguard or multiple local network safeguards; likewise, a cloud network protection module may include only one cloud network safeguard or multiple cloud network safeguards. The number of each of Network Traffic Monitoring modules, local network protection modules and cloud network protection modules is also at least one.
The local network protection module is deployed at the entrance of the local network and cleans traffic entering and leaving the local network; its cleaning capacity is generally on the order of tens of Gbps.
The Network Traffic Monitoring module monitors the traffic of the local network's ingress router or switching equipment, receives messages from multiple network protection modules, and is configured with a flow traction strategy based on safeguard protective capacity. When it detects attack traffic, it calculates the protection parameter and cleaning parameter of each network protection module in real time and decides, as the case requires, among the following: sending a traction route directly to the router or switching equipment so that the attack traffic is drawn to the local network protection module for cleaning; or, under routing traction, sending a notice to the upper-layer Network Traffic Monitoring module (the Network Traffic Monitoring module corresponding to the cloud), which triggers traction of the traffic to the upper-layer cloud network protection module; or, under DNS traction, sending a traction notice to the DNS configuration server so that the traffic is drawn to the cloud network protection module by modifying DNS entries. At the same time, the local network protection module shares with the cloud network protection module prevention policy information including the attacked IP, the traction retention time, the detected attack type and the prevention policies used. While receiving the drawn attack traffic for the attacked IP, the cloud network protection module intelligently optimizes its prevention policies according to the attack type and prevention policies sent by the local network protection module, so that local and cloud work in linkage and flow cleaning is carried out more efficiently and intelligently.
Specifically, the Network Traffic Monitoring equipment determines the safeguard that cleans the attack traffic, according to the size of the attack traffic and the protective capacity of the safeguards, as follows:
The Network Traffic Monitoring equipment judges, according to the size of the attack traffic and the protective capacity of the safeguards, whether there is a local network safeguard that meets the cleaning condition. If so, the Network Traffic Monitoring equipment selects at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic. Otherwise, the Network Traffic Monitoring equipment selects at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
The cleaning condition is:
The size of the attack traffic is not greater than the maximum protection flow threshold of the safeguard, the protection parameter determined by the protective capacity of the safeguard is less than the protective capacity utilization threshold, and the cleaning parameter determined by the protective capacity of the safeguard is less than the cleaning peak threshold.
For example, the Network Traffic Monitoring equipment detects attack traffic of size 10Gbps, and there are 4 safeguards in total: local network safeguard A, local network safeguard B, cloud network safeguard C and cloud network safeguard D. The Network Traffic Monitoring equipment can receive the protective capacity reported by each safeguard, or calculate each safeguard's protective capacity from the protective capacity indexes that the safeguard reports.
Assume the cleaning peak threshold is 90% and the protective capacity utilization threshold is 80%; the maximum protection flow threshold of local network safeguard A is 10Gbps, that of local network safeguard B is 15Gbps, that of cloud network safeguard A is 30Gbps and that of cloud network safeguard B is 50Gbps; and the protection parameter and cleaning parameter of all 4 safeguards are 0. The Network Traffic Monitoring equipment determines that there are local network safeguards that meet the cleaning condition, namely local network safeguard A and local network safeguard B, and then selects at least one of local network safeguard A and local network safeguard B as the safeguard that cleans this attack traffic.
If the attack traffic detected by the Network Traffic Monitoring equipment is 20Gbps, no local network safeguard meets the cleaning condition, so the Network Traffic Monitoring equipment selects at least one of the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic. Assuming the cloud network safeguards that meet the cleaning condition are cloud network safeguard A and cloud network safeguard B, it is sufficient to select at least one of cloud network safeguards A and B.
In embodiments of the present invention, the Network Traffic Monitoring module performs intelligent selection of the network protection module: when the local network protection module has sufficient resources, traffic is cleaned locally; when the local protective capacity is exceeded, cleaning is switched to the more capable cloud network protection module, so that cleaning resources are used effectively.
In embodiments of the present invention, before the cloud network safeguard cleans the attack traffic, the cloud network safeguard receives the attack traffic drawn by the Network Traffic Monitoring equipment.
The attack traffic is drawn to the cloud network safeguard after the Network Traffic Monitoring equipment determines, according to the size of the attack traffic and the protective capacity of the safeguards, that the attack traffic is to be cleaned by the cloud network safeguard. The safeguards include local network safeguards and cloud network safeguards, and the protective capacity of a safeguard indicates its ability to protect against and clean attack traffic.
In embodiments of the present invention, the network protection modules that clean network attack traffic are divided into local and cloud. Optionally, the local (or cloud) protection module can be divided more finely. There are many ways of dividing; two are listed below:
Division mode one: division by function.
For example, the local and/or cloud network protection module is divided into an anti-DDoS module, an anti-CC (Challenge Collapsar) module, a WAF (Web Application Firewall, website application layer intrusion prevention system) protection module and so on, as shown in Figure 2B.
Division mode two: division by customized protection rules.
For example, the module is divided into a public protection module and customized protection modules, where a customized protection module can be used to meet special customized protection requirements. As shown in Figure 2C, the local (cloud) network protection module is divided into 3 modules: a public protection module, customized protection module 1 and customized protection module 2.
It should be noted that the division modes listed in the embodiments of the present invention are merely illustrative; any way of dividing the local and/or cloud network protection module is applicable to the embodiments of the present invention.
In embodiments of the present invention, the protective capacity of a network protection module can be expressed by the protective capacity indexes shown in Table 1, including the attack peak traffic that can be protected against, the number of concurrent attack connections, CPU, memory and so on. The total protective capacity of the local network protection module is lower than that of the cloud network protection module.
| Parameter category | Score | Weight | Description |
|---|---|---|---|
| CPU | S1 | α | CPU frequency, number of cores, cache size, utilization |
| Memory | S2 | β | Memory size, utilization |
| Cleaning flow | S3 | γ | Total traffic cleaned by the protection module |
| Attack concurrent total connection number | S4 | δ | Total number of connections held by the protection module |

Table 1: Protective capacity index statistics
The protective capacity score of network protection module A1 is then calculated by the following equation:
$C1 = \alpha \cdot S1(A1) + \beta \cdot S2(A1) + \gamma \cdot S3(A1) + \delta \cdot S4(A1)$
Let $C1_{total}$ denote the total score, i.e. the initial value (the score when the attack concurrent total connection number of the network protection module is 0), with $C1_{total} = 100$. The score of each parameter and the weighting coefficients (i.e. the weights) can be adjusted according to the actual situation, provided that the initial total score is always 100. As parameters such as the attack concurrent total connection number of the network protection module change, the score gradually falls below 100; that is, C1 gradually decreases as the network protection module is used.
In embodiments of the present invention, the protection parameter is determined according to the protective capacity of the safeguard; the protection parameter of a network protection module is determined by the total protective capacity of all safeguards in that network protection module. Optionally, the protective capacity utilization of the network protection module can be used as the protection parameter.
For example, let R1 denote the protective capacity utilization of network protection module A1:
$R1_{\text{protective capacity}} = 1 - C1_{used}/100$
Here $C1_{used}$ is the protective capacity score of network protection module A1, recalculated as parameters such as its attack concurrent total connection number change; in the initial state $C1_{used} = C1_{total} = 100$. The closer R1 is to 1, the higher the load on the network protection module and the closer it is to saturation.
In addition, because attack traffic is an important index, the embodiments of the present invention define a cleaning utilization (i.e. the cleaning parameter). The cleaning parameter equals the ratio of the used cleaning capacity to the total cleaning capacity: $R1_{\text{cleaning capacity}} = S3(A1)_{used}/S3(A1)_{total}$
In embodiments of the present invention, when a network protection module includes multiple safeguards, $S3(A1)_{used}$ is the total score of the used cleaning capacity of all safeguards in the network protection module, and $S3(A1)_{total}$ is the total score of the cleaning capacity of all safeguards.
For example, network protection module A1 includes two safeguards, safeguard b1 and safeguard b2. The cleaning capacity scores of b1 and b2 are each 100, so the total cleaning capacity score is 200. The used cleaning capacity of b1 is 50%, i.e. a score of 50, and the score of the used cleaning capacity of b2 is 50, so the total score of the used cleaning capacity of b1 and b2 is 100. That is, $S3_{used} = 100$ and $S3_{total} = 200$, so $R1_{\text{cleaning capacity}} = S3(A1)_{used}/S3(A1)_{total} = 50\%$.
In embodiments of the present invention, when a network protection module includes multiple safeguards, $C1_{used}$ and $C1_{total}$ are calculated on the same principle as $S3(A1)_{used}$ and $S3(A1)_{total}$. That is, $C1_{used}$ is the total score of the used protective capacity of all safeguards in the network protection module, and $C1_{total}$ is the total score of the protective capacity of all safeguards.
In embodiments of the present invention, each network protection module periodically reports to the Network Traffic Monitoring module the current value of each parameter shown in Table 1, and the Network Traffic Monitoring module calculates the protection parameter and cleaning parameter of each network protection module.
For example, with a report cycle of T, the current parameter values reported by network protection module A1 at time t = T are S1 = 85, S2 = 86, S3 = 87, S4 = 88; the current parameter values reported at time t = 2T are S1 = 75, S2 = 74, S3 = 73, S4 = 72.
After the Network Traffic Monitoring module detects attack traffic, it considers both the size of the current attack traffic and the protective capacity of the network protection modules to decide which network protection module will clean the attack traffic.
Optionally, when deciding which network protection module will clean the attack traffic, the Network Traffic Monitoring module can consider the attack type of the attack traffic in addition to the size of the attack traffic and the protective capacity of the network protection modules, so as to select network protection equipment better suited to that attack type and achieve more efficient protection. For example, when the type of the attack traffic is DDoS, the local or cloud anti-DDoS module can be selected to clean the attack traffic.
In embodiments of the present invention, cloud network protection modules can be divided into two broad classes by traction mode: one class sits on a higher-layer backbone network and is reached by routing traction, for example the dedicated cleaning resource machine rooms built by operators; the other class is reached by DNS (Domain Name System) traction, typified by the high-defense machine rooms of Internet vendors.
As shown in Figure 3A, assume there are 2 Network Traffic Monitoring modules, A and B, and 3 network protection modules, A, B1 and B2. Network protection module A is a local network protection module with a maximum protection flow threshold of 20Gbps; the maximum protection flow thresholds of the two cloud network protection modules B1 and B2 are 100Gbps and 1Tbps respectively. The protective capacity utilization threshold is 80% and the cleaning peak threshold is 90%. Cloud network protection module B2 is reached by DNS traction.
The process by which the Network Traffic Monitoring module selects a network protection module is described in detail below, as shown in Figure 3B:
Step 1 (initialization phase): the 3 network protection modules send their respective protective capacity indexes to the 2 Network Traffic Monitoring modules;
Step 2: Network Traffic Monitoring module A detects attack traffic (currently 10Gbps in size) and calculates that the protection parameter of local network protection module A is < 80% and its cleaning parameter is < 90%; it directly selects local network protection module A to clean the traffic and continues to monitor the attack traffic;
Step 3: Network Traffic Monitoring module A again detects attack traffic of 10Gbps. The protection parameter of local network protection module A now exceeds 80%, while the protection parameters and cleaning parameters of the two cloud network protection modules are below their corresponding thresholds. Protection module B1, which has the smaller cleaning capacity, is preferred for cleaning. Network Traffic Monitoring module A sends a traction instruction to flow monitoring module B, which initiates flow traction, draws the traffic at the provincial backbone to cloud network protection module B1, and continues to monitor the attack traffic;
Step 4: Network Traffic Monitoring module B detects attack traffic of 90Gbps. The cleaning parameter of cloud network protection module B1 reaches 90%, while the protection parameter and cleaning parameter of cloud network protection module B2 are below their corresponding thresholds. Network Traffic Monitoring module B sends a traction instruction to the DNS configuration server, and the traffic is drawn by DNS traction to cloud network protection module B2 for cleaning.
In embodiments of the present invention, the thresholds and steps described above can be adjusted as the case requires. In practice, steps 2 and 3 may be skipped directly, and the cloud network protection modules may all be based on routing traction or all on DNS traction.
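The cleaning condition, the Table 1 score and the Figure 3B walkthrough can be traced in a short Python sketch, added here as an illustration and not taken from the patent. The equal weights, the class and function names, the constructed sample reports, and applying the smallest-capacity preference to local modules as well (the text states it only for step 3) are assumptions.

```python
from dataclasses import dataclass, field

# Weights alpha, beta, gamma, delta for S1..S4 (Table 1). The page fixes no
# values; these are assumed and sum to 1 so an idle device scores 100.
WEIGHTS = (0.25, 0.25, 0.25, 0.25)
C1_TOTAL = 100.0
UTILIZATION_THRESHOLD = 0.80    # protective capacity utilization threshold (80%)
CLEANING_PEAK_THRESHOLD = 0.90  # cleaning peak threshold (90%)


@dataclass
class Device:
    """Latest report of one safeguard (all sample values are constructed)."""
    scores: tuple = (100.0, 100.0, 100.0, 100.0)  # S1..S4, 100 = idle
    cleaning_used: float = 0.0     # S3_used
    cleaning_total: float = 100.0  # S3_total

    def c1(self):
        # C1 = alpha*S1 + beta*S2 + gamma*S3 + delta*S4
        return sum(w * s for w, s in zip(WEIGHTS, self.scores))


@dataclass
class Module:
    name: str
    location: str            # "local" or "cloud"
    max_protect_gbps: float  # maximum protection flow threshold
    devices: list = field(default_factory=lambda: [Device()])

    def protection_parameter(self):
        # R = 1 - C1_used / C1_total, with both totals summed over all devices
        if not self.devices:
            return 1.0  # no report yet: treat the module as saturated
        used = sum(d.c1() for d in self.devices)
        return 1.0 - used / (C1_TOTAL * len(self.devices))

    def cleaning_parameter(self):
        # R = S3_used / S3_total, summed over all devices
        total = sum(d.cleaning_total for d in self.devices)
        if total == 0:
            return 1.0
        return sum(d.cleaning_used for d in self.devices) / total


def meets_cleaning_condition(module, attack_gbps):
    return (attack_gbps <= module.max_protect_gbps
            and module.protection_parameter() < UTILIZATION_THRESHOLD
            and module.cleaning_parameter() < CLEANING_PEAK_THRESHOLD)


def select_module(modules, attack_gbps):
    """Prefer local modules, fall back to cloud; None if nothing qualifies."""
    for location in ("local", "cloud"):
        candidates = [m for m in modules
                      if m.location == location
                      and meets_cleaning_condition(m, attack_gbps)]
        if candidates:
            # Step 3 prefers the module with the smaller cleaning capacity.
            return min(candidates, key=lambda m: m.max_protect_gbps)
    return None  # caller must decide what to do when every module is saturated


def walkthrough():
    """Replays steps 2 to 4 of the Figure 3B description."""
    a = Module("A", "local", 20)
    b1 = Module("B1", "cloud", 100)
    b2 = Module("B2", "cloud", 1000)
    modules = [a, b1, b2]
    picks = [select_module(modules, 10).name]        # step 2: all idle
    a.devices = [Device(scores=(15.0,) * 4)]         # A now 85% utilized
    picks.append(select_module(modules, 10).name)    # step 3
    b1.devices = [Device(cleaning_used=90.0)]        # B1 at the cleaning peak
    picks.append(select_module(modules, 90).name)    # step 4
    return picks


if __name__ == "__main__":
    print(walkthrough())
```

Because both parameter comparisons are strict, a module sitting exactly at a threshold is skipped, which is why B1 drops out in step 4.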
Optionally, while drawing the attack traffic, the Network Traffic Monitoring module can use a prevention policy synchronization instruction to trigger the local network protection module and the cloud network protection module to share prevention policy information, achieving more efficient flow cleaning.
For example, when drawing attack traffic, or periodically, the Network Traffic Monitoring module sends a prevention policy synchronization instruction to the local and/or cloud network protection module, so that prevention policies are shared between the local network protection module and the cloud network protection modules at all levels.
Optionally, after receiving the prevention policies sent by the local network protection module, the cloud network protection module adds them to its prevention policy set, selects from the set the prevention policies corresponding to the attack target IP address of the attack traffic, and cleans the attack traffic according to the selected prevention policies.
For example, the cloud network protection module 1's own prevention policy is prevention policy 1. The cloud network protection module successively receives 2 prevention policies shared by local network protection module 1, namely prevention policy 2 and prevention policy 3, and prevention policy 4 shared by local network protection module 2, and adds these 3 prevention policies to the prevention policy set. After the Network Traffic Monitoring module draws the attack traffic to cloud network protection module 1, cloud network protection module 1 selects from the prevention policy set the 2 prevention policies corresponding to the target IP address of the attack traffic, namely prevention policy 2 and prevention policy 4. When cloud network protection module 1 cleans the attack traffic according to the selected prevention policies, it can clean the attack traffic according to prevention policy 2 or prevention policy 4; it can also optimize its own prevention policy 1 according to prevention policy 2 and/or prevention policy 4 together with the actual attack traffic, and clean the attack traffic using the optimized prevention policy 1.
Optionally, after the cloud network protection module has cleaned the attack traffic, it can share the optimized prevention policy 1 with the local network protection module, so that the local network protection module optimizes its own prevention policies according to the prevention policies received from the cloud network protection module. In this way the cloud and local network protection modules learn prevention policies from each other.
It should be noted that the way in which the cloud network protection module cleans the attack traffic according to the prevention policies in the prevention policy set that correspond to the target IP address of the attack traffic is merely illustrative; any way of cleaning attack traffic according to prevention policies corresponding to the target IP address of the attack traffic is applicable to the embodiments of the present invention.
As shown in Figure 4, an embodiment of the present invention provides a flow cleaning method that specifically includes the following steps:
Step 400: after detecting attack traffic, the Network Traffic Monitoring equipment determines the size of the attack traffic;
Step 401: the Network Traffic Monitoring equipment determines, according to the size of the attack traffic and the protective capacity of the safeguards, the safeguard that cleans the attack traffic, where the safeguards include local network safeguards and cloud network safeguards and the protective capacity of a safeguard indicates its ability to protect against and clean attack traffic;
Step 402: the Network Traffic Monitoring equipment draws the attack traffic to the determined safeguard.
Optionally, the Network Traffic Monitoring equipment determining, according to the size of the attack traffic and the protective capacity of the safeguards, the safeguard that cleans the attack traffic comprises:
The Network Traffic Monitoring equipment judges, according to the size of the attack traffic and the protective capacity of the safeguards, whether there is a local network safeguard that meets the cleaning condition;
If so, the Network Traffic Monitoring equipment selects at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
Otherwise, the Network Traffic Monitoring equipment selects at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
Optionally, the cleaning condition is:
The size of the attack traffic is not greater than the maximum protection flow threshold of the safeguard, the protection parameter determined by the protective capacity of the safeguard is less than the protective capacity utilization threshold, and the cleaning parameter determined by the protective capacity of the safeguard is less than the cleaning peak threshold.
Optionally, the method further includes:
The Network Traffic Monitoring equipment periodically sends a prevention policy synchronization instruction to the determined safeguard, so that prevention policies are shared between the local network safeguard and the cloud network safeguard.
As shown in Figure 5, an embodiment of the present invention provides a flow cleaning method that specifically includes the following steps:
Step 500: the cloud network safeguard receives the attack traffic drawn by the Network Traffic Monitoring equipment;
Step 501: the cloud network safeguard cleans the attack traffic;
The attack traffic is drawn to the cloud network safeguard after the Network Traffic Monitoring equipment determines, according to the size of the attack traffic and the protective capacity of the safeguards, that the attack traffic is to be cleaned by the cloud network safeguard. The safeguards include local network safeguards and cloud network safeguards, and the protective capacity of a safeguard indicates its ability to protect against and clean attack traffic.
Optionally, the cloud network safeguard cleaning the attack traffic comprises:
The cloud network safeguard selects, from the prevention policy set, the prevention policies corresponding to the attack target IP address of the attack traffic;
The cloud network safeguard cleans the attack traffic according to those prevention policies.
Optionally, before the cloud network safeguard selects from the prevention policy set the prevention policies corresponding to the attack target IP address of the attack traffic, the method further includes:
The cloud network safeguard receives the prevention policies sent by the local network safeguard and adds them to the prevention policy set.
Below, for a system composed of one Network Traffic Monitoring module, one local network protection module and one cloud network protection module, two specific embodiments are given to describe the attack traffic cleaning method in detail.
Embodiment one:
Assume the attack traffic is small at first, below the maximum protection flow threshold of the local network protection module, and is drawn to the local network protection module. During the attack it grows beyond the maximum protection flow threshold of the local network protection module, which triggers traction to the cloud network protection module; traffic then goes to the server over the original link, and prevention policies are shared between the local network protection module and the cloud network protection module. As shown in Figure 6, the detailed process is as follows:
Step 600: the Network Traffic Monitoring module detects attack traffic aimed at the target IP address(es) and, after analysis and judgment by the internal flow analysis module, triggers routing traction to the local network protection module for flow cleaning;
Step 601: the local network protection module cleans the traffic according to the local prevention policies and, after cleaning is complete, re-injects it to the original server;
Step 602: the Network Traffic Monitoring module detects that the peak size of the attack traffic has exceeded the maximum protection flow threshold of the local network protection module, triggers protection by the cloud network protection module, and at the same time sends a prevention policy synchronization instruction to the local network protection module;
Step 603: the local network protection module receives the prevention policy synchronization instruction from the Network Traffic Monitoring module and synchronizes the prevention policies, carrying information such as the attack target IP address(es), to the cloud network protection module;
Step 604: the cloud network protection module combines the local prevention policies with analysis of the actual attack traffic to optimize its own prevention policies, performs the cleaning operation on the traffic, and periodically shares prevention policies with the local network protection module corresponding to the destination IP(s);
Step 605: after the cloud network protection module detects that the attack has stopped, it triggers the return of traffic to the original destination IP(s).
Embodiment two:
Assume the attack traffic exceeds the maximum protection flow threshold of the local network protection module from the very start, so the attack traffic is drawn to the cloud network protection module from the beginning. The cloud network protection module analyzes the attack traffic, self-learns to optimize its own prevention policies, cleans the attack traffic, and synchronizes the optimized prevention policies back to the local network protection module. A certain time after the attack stops, traffic goes to the server over the original link. As shown in Figure 7, the detailed process is as follows:
Step 700: the Network Traffic Monitoring module analyzes external traffic in real time and detects attack traffic; the internal flow analysis module judges that the attack traffic peak exceeds the maximum protection flow threshold of the local network protection module, and traction to the cloud network protection module is triggered;
Step 701: the Network Traffic Monitoring module draws the attack traffic to the cloud network protection module;
Step 702: the cloud network protection module performs the cleaning operation on the traffic using its own prevention policies and, on detecting that the attack has stopped, triggers the return of traffic to the original destination IP(s);
Step 703: the cloud network protection module receives the prevention policy synchronization instruction sent by the Network Traffic Monitoring module and shares prevention policies with the local network protection module corresponding to the destination IP(s) of the attack traffic.
In embodiments of the present invention, for the cloud network protection module of different traction models, flow lead and stream are carried out It is different to measure injected mode, for step 602 or step 701, divides following two situation:
Situation one, the cloud network protection module for routing traction model:
Network Traffic Monitoring module sends traction notice to the backbone routers on upper layer, and triggering routing traction is by attack mesh IP address flow is marked to cloud network protection module.
Situation two, the cloud network protection module for DNS traction model:
Network Traffic Monitoring module, which is sent, to be had by the information including target of attack IP address, domain name, service port to cloud Hold network protection module, the anti-IP of the corresponding height of cloud network protection module return and CNAME (Canonical NAME, canonical name Word) corresponding dns server is given, the modification of DNS record is completed, to complete DNS traction by attack destination IP (s) flow to cloud Hold network protection module.
For step 605 or step 702, also divide following two situation;
Situation one, the cloud network protection module for routing traction model:
It is discharged automatically after traction routes retention period, it is assumed that pull-in time t, then in network monitor equipment by attack stream After amount traction to cloud network safeguard t time, flow is discharged automatically.
Situation two, the cloud network protection module for DNS traction model:
DNS switchback is sent by cloud network protection module to notify to complete corresponding destination IP (s) flow to dns server Switching.
Based on the same inventive concept, an embodiment of the present invention also provides a Network Traffic Monitoring device. Because this device is the Network Traffic Monitoring device in the method of the embodiments of the present invention, and the principle by which it solves the problem is similar to that of the method, its implementation may refer to the implementation of the method; repeated parts are not described again.
As shown in Fig. 8, an embodiment of the present invention also provides a Network Traffic Monitoring device comprising at least one processing unit 800 and at least one storage unit 801, wherein the storage unit 801 stores program code which, when executed by the processing unit 800, causes the device to execute the following process:
After detecting attack traffic, determine the size of the attack traffic;
Determine, according to the size of the attack traffic and the protective capability of the safeguards, the safeguard that cleans the attack traffic, wherein the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic;
Draw the attack traffic to the determined safeguard.
Optionally, the processing unit 800 is specifically configured to:
Judge, according to the size of the attack traffic and the protective capability of the safeguards, whether there is a local network safeguard that meets the cleaning condition;
If so, select at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
Otherwise, select at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
Optionally, the cleaning condition is:
The size of the attack traffic is not greater than the maximum protection flow threshold of the safeguard, the protection parameter determined by the protective capability of the safeguard is less than the protective capability utilization threshold, and the cleaning parameter determined by the protective capability of the safeguard is less than the cleaning peak threshold.
Optionally, the processing unit 800 is further configured to:
Periodically send a prevention policy synchronization instruction to the determined safeguard, so that prevention policies are shared between the local network safeguard and the cloud network safeguard.
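The selection logic described above (local safeguards first, cloud safeguards otherwise, each subject to the three-part cleaning condition) can be sketched as follows. This is an added Python example, not code from the patent; it assumes that the "protection parameter" is the share of a safeguard's capacity already in use and that the "cleaning parameter" is its current cleaning peak, and the field names, the headroom tie-break and the sample devices are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Safeguard:
    name: str
    kind: str                  # "local" or "cloud"
    max_protect_gbps: float    # maximum protection flow threshold
    utilization: float         # ASSUMED protection parameter: capacity in use, 0..1
    util_threshold: float      # protective capability utilization threshold
    cleaning_peak_gbps: float  # ASSUMED cleaning parameter: current cleaning peak
    peak_threshold_gbps: float # cleaning peak threshold


def failed_checks(dev: Safeguard, attack_gbps: float) -> List[str]:
    """Return the parts of the cleaning condition that `dev` does not meet."""
    failed = []
    # "not greater than": an attack exactly at the threshold is still accepted.
    if attack_gbps > dev.max_protect_gbps:
        failed.append("attack size exceeds maximum protection flow threshold")
    # Strictly "less than": a device sitting exactly on a threshold is rejected.
    if not dev.utilization < dev.util_threshold:
        failed.append("protection parameter not below utilization threshold")
    if not dev.cleaning_peak_gbps < dev.peak_threshold_gbps:
        failed.append("cleaning parameter not below cleaning peak threshold")
    return failed


def select_safeguard(devices: List[Safeguard],
                     attack_gbps: float) -> Optional[Safeguard]:
    """Pick a local safeguard if any meets the cleaning condition, else a cloud one.

    Among qualifying devices of the same kind, the one with the most free
    capacity is chosen (an assumption; the text only says "at least one").
    Returns None when no safeguard qualifies, which the caller must treat
    as an alert rather than silently leaving traffic un-diverted.
    """
    for kind in ("local", "cloud"):
        qualifying = [d for d in devices
                      if d.kind == kind and not failed_checks(d, attack_gbps)]
        if qualifying:
            return max(qualifying,
                       key=lambda d: d.max_protect_gbps * (1.0 - d.utilization))
    return None


# Constructed sample inventory (values are illustrative only).
DEVICES = [
    Safeguard("local-1", "local", 10.0, 0.30, 0.80, 3.0, 8.0),
    Safeguard("local-2", "local", 10.0, 0.85, 0.80, 7.0, 8.0),   # too busy
    Safeguard("cloud-1", "cloud", 500.0, 0.40, 0.80, 120.0, 400.0),
]

if __name__ == "__main__":
    for attack in (4.0, 10.0, 40.0, 600.0):
        chosen = select_safeguard(DEVICES, attack)
        target = chosen.name if chosen else "none (raise alert)"
        print(f"{attack:6.1f} Gbps -> {target}")
    for dev in DEVICES:
        print(dev.name, failed_checks(dev, 40.0))
```

The `None` case matters operationally: an attack larger than every safeguard's maximum protection flow threshold falls outside both branches of the selection rule.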
Based on the same inventive concept, an embodiment of the present invention also provides a cloud network safeguard. Because this cloud network safeguard is the cloud network safeguard in the method of the embodiments of the present invention, and the principle by which it solves the problem is similar to that of the method, its implementation may refer to the implementation of the method; repeated parts are not described again.
As shown in Fig. 9, an embodiment of the present invention also provides a cloud network safeguard comprising at least one processing unit 900 and at least one storage unit 901, wherein the storage unit 901 stores program code which, when executed by the processing unit 900, causes the device to execute the following process:
Receive the attack traffic drawn by the Network Traffic Monitoring device;
Clean the attack traffic;
Wherein the attack traffic is drawn to the cloud network safeguard after the Network Traffic Monitoring device determines, according to the size of the attack traffic and the protective capability of the safeguards, that the attack traffic is to be cleaned by the cloud network safeguard; the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic.
Optionally, the processing unit 900 is specifically configured to:
Select, from the prevention policy set, the prevention policy corresponding to the attack target IP address of the attack traffic;
Clean the attack traffic according to that prevention policy.
Optionally, the processing unit 900 is further configured to:
Before selecting from the prevention policy set the prevention policy corresponding to the attack target IP address of the attack traffic, receive the prevention policies sent by the local network safeguard and add them to the prevention policy set.
Based on the same inventive concept, an embodiment of the present invention also provides a Network Traffic Monitoring device. Because this device is the Network Traffic Monitoring device in the method of the embodiments of the present invention, and the principle by which it solves the problem is similar to that of the method, its implementation may refer to the implementation of the method; repeated parts are not described again.
As shown in Fig. 10, an embodiment of the present invention also provides a Network Traffic Monitoring device comprising a traffic size detection module 1000, a safeguard selection module 1001 and a traffic traction module 1002:
Traffic size detection module 1000: configured to determine the size of the attack traffic after attack traffic is detected;
Safeguard selection module 1001: configured to determine, according to the size of the attack traffic and the protective capability of the safeguards, the safeguard that cleans the attack traffic, wherein the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic;
Traffic traction module 1002: configured to draw the attack traffic to the determined safeguard.
Optionally, the safeguard selection module 1001 is specifically configured to:
Judge, according to the size of the attack traffic and the protective capability of the safeguards, whether there is a local network safeguard that meets the cleaning condition;
If so, select at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
Otherwise, select at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
Optionally, the cleaning condition is:
The size of the attack traffic is not greater than the maximum protection flow threshold of the safeguard, the protection parameter determined by the protective capability of the safeguard is less than the protective capability utilization threshold, and the cleaning parameter determined by the protective capability of the safeguard is less than the cleaning peak threshold.
Optionally, the traffic traction module 1002 is further configured to:
Periodically send a prevention policy synchronization instruction to the determined safeguard, so that prevention policies are shared between the local network safeguard and the cloud network safeguard.
Based on the same inventive concept, an embodiment of the present invention also provides a flow cleaning device. Because this device is the device in the method of the embodiments of the present invention, and the principle by which it solves the problem is similar to that of the method, its implementation may refer to the implementation of the method; repeated parts are not described again.
As shown in Fig. 11, an embodiment of the present invention also provides a flow cleaning device comprising a receiving module 1100 and a flow cleaning module 1101:
Receiving module 1100: configured to receive the attack traffic drawn by the Network Traffic Monitoring device;
Flow cleaning module 1101: configured to clean the attack traffic;
Wherein the attack traffic is drawn to the cloud network safeguard after the Network Traffic Monitoring device determines, according to the size of the attack traffic and the protective capability of the safeguards, that the attack traffic is to be cleaned by the cloud network safeguard; the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic.
Optionally, the flow cleaning module 1101 is specifically configured to:
Select, from the prevention policy set, the prevention policy corresponding to the attack target IP address of the attack traffic;
Clean the attack traffic according to that prevention policy.
Optionally, the receiving module 1100 is further configured to:
Before the prevention policy corresponding to the attack target IP address of the attack traffic is selected from the prevention policy set, receive the prevention policies sent by the local network safeguard and add them to the prevention policy set.
An embodiment of the present invention also provides a computer-readable non-volatile storage medium comprising program code which, when run on a computing terminal, causes the computing terminal to execute the steps of the flow cleaning method of the above embodiments of the present invention.
The application is described above with reference to block diagrams and/or flowcharts of methods, devices (systems) and/or computer program products according to embodiments of the application. It should be understood that a block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer and/or another programmable data processing apparatus to produce a machine, such that the instructions executed via the computer processor and/or other programmable data processing apparatus create means for implementing the functions/acts specified in the block diagram and/or flowchart blocks.
Accordingly, the application may also be implemented in hardware and/or software (including firmware, resident software, microcode, etc.). Further, the application may take the form of a computer program product on a computer-usable or computer-readable storage medium, having computer-usable or computer-readable program code embodied in the medium for use by or in connection with an instruction execution system. In this context, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, transmit or transport the program for use by, or in connection with, an instruction execution system, apparatus or device.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (14)

1. A method of flow cleaning, characterized in that the method comprises:
A Network Traffic Monitoring device determines the size of attack traffic after detecting the attack traffic;
The Network Traffic Monitoring device determines, according to the size of the attack traffic and the protective capability of safeguards, the safeguard that cleans the attack traffic, wherein the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic;
The Network Traffic Monitoring device draws the attack traffic to the determined safeguard.
2. The method according to claim 1, characterized in that the Network Traffic Monitoring device determining, according to the size of the attack traffic and the protective capability of the safeguards, the safeguard that cleans the attack traffic comprises:
The Network Traffic Monitoring device judges, according to the size of the attack traffic and the protective capability of the safeguards, whether there is a local network safeguard that meets a cleaning condition;
If so, the Network Traffic Monitoring device selects at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
Otherwise, the Network Traffic Monitoring device selects at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
3. The method according to claim 2, characterized in that the cleaning condition is:
The size of the attack traffic is not greater than the maximum protection flow threshold of the safeguard, the protection parameter determined by the protective capability of the safeguard is less than the protective capability utilization threshold, and the cleaning parameter determined by the protective capability of the safeguard is less than the cleaning peak threshold.
4. The method according to claim 1, characterized in that the method further comprises:
The Network Traffic Monitoring device periodically sends a prevention policy synchronization instruction to the determined safeguard, so that prevention policies are shared between the local network safeguard and the cloud network safeguard.
5. A method of flow cleaning, characterized in that the method comprises:
A cloud network safeguard receives attack traffic drawn by a Network Traffic Monitoring device;
The cloud network safeguard cleans the attack traffic;
Wherein the attack traffic is drawn to the cloud network safeguard after the Network Traffic Monitoring device determines, according to the size of the attack traffic and the protective capability of safeguards, that the attack traffic is to be cleaned by the cloud network safeguard; the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic.
6. The method according to claim 5, characterized in that the cloud network safeguard cleaning the attack traffic comprises:
The cloud network safeguard selects, from a prevention policy set, the prevention policy corresponding to the attack target Internet Protocol (IP) address of the attack traffic;
The cloud network safeguard cleans the attack traffic according to that prevention policy.
7. The method according to claim 6, characterized in that, before the cloud network safeguard selects from the prevention policy set the prevention policy corresponding to the attack target IP address of the attack traffic, the method further comprises:
The cloud network safeguard receives the prevention policies sent by the local network safeguard and adds them to the prevention policy set.
8. A device for flow cleaning, characterized in that the device comprises at least one processing unit and at least one storage unit, wherein the storage unit stores program code which, when executed by the processing unit, causes the processing unit to execute the following process:
After detecting attack traffic, determine the size of the attack traffic;
Determine, according to the size of the attack traffic and the protective capability of safeguards, the safeguard that cleans the attack traffic, wherein the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic;
Draw the attack traffic to the determined safeguard.
9. The device according to claim 8, characterized in that the processing unit is specifically configured to:
Judge, according to the size of the attack traffic and the protective capability of the safeguards, whether there is a local network safeguard that meets a cleaning condition;
If so, select at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
Otherwise, select at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
10. The device according to claim 9, characterized in that the cleaning condition is:
The size of the attack traffic is not greater than the maximum protection flow threshold of the safeguard, the protection parameter determined by the protective capability of the safeguard is less than the protective capability utilization threshold, and the cleaning parameter determined by the protective capability of the safeguard is less than the cleaning peak threshold.
11. The device according to claim 8, characterized in that the processing unit is further configured to:
Periodically send a prevention policy synchronization instruction to the determined safeguard, so that prevention policies are shared between the local network safeguard and the cloud network safeguard.
12. A device for flow cleaning, characterized in that the device comprises at least one processing unit and at least one storage unit, wherein the storage unit stores program code which, when executed by the processing unit, causes the processing unit to execute the following process:
Receive attack traffic drawn by a Network Traffic Monitoring device;
Clean the attack traffic;
Wherein the attack traffic is drawn to the cloud network safeguard after the Network Traffic Monitoring device determines, according to the size of the attack traffic and the protective capability of safeguards, that the attack traffic is to be cleaned by the cloud network safeguard; the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic.
13. The device according to claim 12, characterized in that the processing unit is specifically configured to:
Select, from a prevention policy set, the prevention policy corresponding to the attack target IP address of the attack traffic;
Clean the attack traffic according to that prevention policy.
14. The device according to claim 13, characterized in that the processing unit is further configured to:
Before selecting from the prevention policy set the prevention policy corresponding to the attack target IP address of the attack traffic, receive the prevention policies sent by the local network safeguard and add them to the prevention policy set.
CN201910444437.7A 2019-05-27 2019-05-27 Method and equipment for cleaning flow Active CN110113435B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910444437.7A CN110113435B (en) 2019-05-27 2019-05-27 Method and equipment for cleaning flow

Publications (2)

Publication Number Publication Date
CN110113435A true CN110113435A (en) 2019-08-09
CN110113435B CN110113435B (en) 2022-01-14

Family

ID=67492318

Country Status (1)

Country Link
CN (1) CN110113435B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant after: NSFOCUS Technologies Group Co.,Ltd.

Applicant after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Applicant before: NSFOCUS TECHNOLOGIES Inc.

GR01 Patent grant